The Beyond Identity Authenticator can now be configured to allow a user to switch between different machines joined to an Active Directory domain without having to re-enroll each time they log into a different machine. This is accomplished by creating a profile containing a shared Passkey that can roam between different machines joined to Active Directory. The passkey is stored in the user's profile and shared via Windows Folder Redirection.
This is recommended for specific and limited devices and use cases only. For example, this can be used with non-persistent VDI machines with additional policy controls around it to avoid an end user having to create a passkey each time a VDI machine is started.
To allow a user to share Passkeys across different machines, the system administrator must perform the following steps:
- Set a value in the Windows Registry of machines in scope for leveraging a shared software passkey
- Enable Windows Folder Redirection or an alternate method of syncing the user's %appdata%\BeyondIdentity folder (Windows folder syncing is out of scope for this article)
Once configured, the Passkey in the roaming profile is available and viewable in the Authenticator whenever a user logs into a new machine that has the registry key and folder redirection configured. Clicking on “About this Profile” will show that the Passkey is stored in software.
To set the Windows Registry and enable passkey storage in software:
Set the registry value as follows:
- Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BeyondIdentity\Authenticator
- Registry Key Value: SHARED_PROFILES
- Type: DWORD
- Value: 0 = Disables shared profiles; 1 = Enables shared profiles
When the Value is not present, the default is Disabled.
This will set the Beyond Identity authenticator to store and read passkeys from %appdata%\BeyondIdentity.
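The following PowerShell script is an added example (not from the Beyond Identity article) that sets the SHARED_PROFILES policy value described above, reports its effective state, and checks whether the user's %appdata%\BeyondIdentity folder actually resolves to a redirected location, since a software passkey only roams when that folder is redirected. The function names and the "path starts with USERPROFILE" redirection heuristic are this example's own assumptions; run it in an elevated session on a machine in scope.

```powershell
# Added example, not part of the Beyond Identity article or product.
# Requires an elevated (Administrator) PowerShell session to write HKLM.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\BeyondIdentity\Authenticator'
$ValueName = 'SHARED_PROFILES'

function Set-SharedProfiles {
    # 1 = Enables shared profiles, 0 = Disables (values from the article).
    param([ValidateSet(0, 1)][int]$Enabled)
    if (-not (Test-Path $PolicyKey)) {
        # -Force creates any missing parent keys under HKLM\SOFTWARE\Policies.
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
}

function Get-SharedProfilesState {
    # A missing value means Disabled, matching the article's default.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disabled (value not present)' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Test-BeyondIdentityRedirection {
    # Folder Redirection rewrites the user's Roaming AppData shell folder, so
    # GetFolderPath returns the redirected (typically UNC) path while
    # USERPROFILE stays local. Heuristic assumption of this example: if AppData
    # still sits under USERPROFILE, the passkey folder is local and will not roam.
    $appData = [Environment]::GetFolderPath('ApplicationData')
    $folder  = Join-Path $appData 'BeyondIdentity'
    $isLocal = $appData.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        PasskeyFolder = $folder
        FolderExists  = Test-Path $folder
        Redirected    = -not $isLocal
    }
}

# Enable shared profiles only on the limited VDI/device set the article
# recommends; keep the policy key scoped via GPO targeting rather than broadly.
Set-SharedProfiles -Enabled 1
"SHARED_PROFILES: $(Get-SharedProfilesState)"
$check = Test-BeyondIdentityRedirection
$check | Format-List
if (-not $check.Redirected) {
    Write-Warning 'SHARED_PROFILES is set but %appdata% is not redirected; the passkey will stay on this machine.'
}
```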